mbox series

[bug#33916,0/4] Make GDM usable

Message ID 87bm53n3iu.fsf@ngyro.com
Headers show
Series Make GDM usable | expand

Message

Timothy Sample Dec. 30, 2018, 2:37 a.m. UTC 
Hi Guix,

This patch series tweaks a few things in the GDM package and service so
that it kinda works.  That is to say, I have started using it as my DM,
and I have not pulled all of my hair out yet.  :)

I will start a different thread on guix-devel about what problems there
are and what is left to be done.  These patches are simple, and I want
to avoid complicating their review with open-ended questions.

The only tricky patch is the third one that deletes the “allow-root?”
configuration option.  When set, this option allows logging in to any
account *without* a password.  I don't think that was the intention, and
I don't think that feature is useful, so I removed it.  I couldn’t find
a similar setup in the example PAM config files shipped with GDM,
either.  My guess is that the option was intended to allow or disallow
root logins, but that is definitely not what it does.


-- Tim

Comments

Danny Milosavljevic Dec. 30, 2018, 9:30 a.m. UTC | #1 
Hi Timothy,

thanks!

I've pushed this series to master as:

92deb5cc920fcc7617302986180f1abee5fd2b26
89c8656200a21485fd50fe4d277792d7d56c63e0
de409e82261eb147b6614aef8731d795ca664ef0
48c8d067d4ded776939cda6f9c63c25b38ba77fc

I've taken a look at gnu/system/pam.scm where unix-pam-service is defined,
and it just does "auth sufficient pam_rootok.so".  This means that root
will be allowed to log in without password (which is what is documented
there, too).

But how come it (or gdm) then allows any user?

Fedora does it differently:

See https://fedoraproject.org/wiki/Enabling_Root_User_For_GNOME_Display_Manager

> auth required pam_succeed_if.so user != root quiet
Timothy Sample Dec. 30, 2018, 2:42 p.m. UTC | #2 
Hi Danny,

Danny Milosavljevic <dannym@scratchpost.org> writes:

> Hi Timothy,
>
> thanks!
>
> I've pushed this series to master as:
>
> 92deb5cc920fcc7617302986180f1abee5fd2b26
> 89c8656200a21485fd50fe4d277792d7d56c63e0
> de409e82261eb147b6614aef8731d795ca664ef0
> 48c8d067d4ded776939cda6f9c63c25b38ba77fc

Thank you!

> I've taken a look at gnu/system/pam.scm where unix-pam-service is defined,
> and it just does "auth sufficient pam_rootok.so".  This means that root
> will be allowed to log in without password (which is what is documented
> there, too).
>
> But how come it (or gdm) then allows any user?

More specifically, it means that root is authorized to perform whatever
action PAM is being asked about without providing a password.  In this
case, “root” is GDM itself, and the action is “log in as so-and-so”.
Hence, PAM says, “sure thing, root, log in as whoever you like!”

The part I’m not certain about is why GDM is running as root.  My
current understanding is that it is running with effective UID gdm and
real UID root.  I remember reading in the docs that “pam_rootok.so” only
cares about real UID [1].

> Fedora does it differently:
>
> See https://fedoraproject.org/wiki/Enabling_Root_User_For_GNOME_Display_Manager
>
>> auth required pam_succeed_if.so user != root quiet

That looks better.  That would be easy to add if people find it useful.
(I wouldn’t bother with it, but if Fedora does it, then it must be
popular enough.)


[1] http://www.linux-pam.org/Linux-PAM-html/sag-pam_rootok.html


-- Tim